Chris's Wiki :: blog/sysadmin/TheNeedForNetworkTaps Comments
https://utcc.utoronto.ca/~cks/space/blog/sysadmin/TheNeedForNetworkTaps?atomcomments
Feed updated 2008-10-28T19:42:58Z. Recent comments in Chris's Wiki :: blog/sysadmin/TheNeedForNetworkTaps.

By rdump on /blog/sysadmin/TheNeedForNetworkTaps
<div class="wikitext"><p>In general, for performance, stability and security monitoring, taps are preferable.</p>
<p>First, consider that you're using optimized switches because you need to switch traffic quickly. A SPAN is a secondary function that saps switch CPU and internal bandwidth resources. Plus, a SPAN won't be as solid a feature, as it's not the core function of the device.</p>
<p>Second, consider bandwidth contention. You're using the same switches to transfer your SPANned data as are carrying the first copy of the traffic. It's not hard to get into a state where the doubling of traffic through a switch or over a link, with only the first half of it able to do TCP congestion backoff, causes outages for both the original and the copy.</p>
<p>Third, consider data quality. The switch is necessarily going to prioritize regular traffic over a SPAN when it comes to momentary contention. This means dropped frames on the SPAN that nevertheless went through on the regular ports. Measuring this is often not easy to get right. It can provide extra load itself, but it also has to be done at each point along the data path.</p>
<p>Finally, consider what has to be turned off first in the event of problems. Given the contention issues noted above, when debugging a network outage or responding to a high-bandwidth security problem it's very often going to be necessary to turn off the SPAN-based monitoring. But that's exactly what you don't want to do when you need the monitoring to assess the problem.</p>
<p>Our answer is to prefer taps with dedicated connections for the data feeds for any permanent installation. This avoids a continuing maintenance hassle for the SPANs. It also avoids contention for switch and bandwidth resources with regular traffic, keeping the monitoring out of the way of what's being monitored.</p>
<p>In the end, the only thing that'll push us to using SPANs instead of taps for our security monitoring is the lack of light budget in existing fiber runs for the splitter. That will likely be solved in the long term with careful engineering as network devices and links are upgraded.</p>
</div>
Posted 2008-10-28T19:42:58Z

From 198.178.191.2 on /blog/sysadmin/TheNeedForNetworkTaps
<div class="wikitext"><p>You always have the option of constructing your own network tap. It's not as hard as one might think. I wrote a blog post a while back discussing how I did it for my home environment.</p>
<p><a href="http://blog.techscrawl.com/2008/04/23/simple-soho-ids-with-snort-a-diy-network-tap/">http://blog.techscrawl.com/2008/04/23/simple-soho-ids-with-snort-a-diy-network-tap/</a></p>
<p>Of course, this solution maybe isn't enterprise-ready, but it's cheap and it works.</p>
</div>
Posted 2008-10-28T17:05:42Z
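rdump's comment above names the one thing that would force a SPAN instead of a tap: not enough light budget left in an existing fiber run to absorb a passive splitter. The check below is an added worked example of that arithmetic; it is not code from the original page or from either commenter. The `Link` and `Tap` classes, the `tap_fits` function, the 3 dB design margin, the assumption that an inline tap adds two mated connector pairs, and every optical figure in `EXAMPLE_LINK` (loosely modelled on 1000BASE-LX over single-mode fiber) are assumptions for illustration; real values come from the transceiver and tap data sheets.

```python
"""Does a passive optical tap fit in the light budget of an existing fiber run?

Added worked example; not code from the original page or its comments.
All optical figures are assumed, illustrative values. The only physics here is
that keeping a fraction f of the optical power costs -10*log10(f) dB.
"""
import math
from dataclasses import dataclass


@dataclass
class Link:
    tx_min_dbm: float        # weakest launch power the transmitter guarantees
    tx_max_dbm: float        # strongest launch power the transmitter may emit
    rx_sens_dbm: float       # receiver sensitivity (weakest usable signal)
    rx_overload_dbm: float   # receiver overload (strongest tolerated signal)
    length_km: float
    fiber_db_per_km: float
    connectors: int          # mated connector pairs already in the path
    connector_db: float      # loss per mated pair (assumed value)


@dataclass
class Tap:
    live_fraction: float     # share of light that continues to the far end
    excess_db: float         # tap's own loss beyond the pure split (assumed)


def split_loss_db(fraction: float) -> float:
    """Loss from keeping only `fraction` of the optical power: -10*log10(fraction)."""
    if not 0.0 < fraction < 1.0:
        raise ValueError("split fraction must be strictly between 0 and 1")
    return -10.0 * math.log10(fraction)


def path_loss_db(link: Link, extra_connectors: int = 0) -> float:
    """Fiber attenuation plus connector loss for the whole run."""
    return (link.length_km * link.fiber_db_per_km
            + (link.connectors + extra_connectors) * link.connector_db)


def leg_loss_db(link: Link, tap: Tap, fraction: float) -> float:
    """Total loss on one tap output leg. Assumes the inline tap adds two
    mated connector pairs (in and out) to the existing path."""
    return path_loss_db(link, extra_connectors=2) + split_loss_db(fraction) + tap.excess_db


def leg_margin_db(link: Link, tap: Tap, fraction: float, design_margin_db: float) -> float:
    """Power left above receiver sensitivity, after losses and a safety margin."""
    return (link.tx_min_dbm - leg_loss_db(link, tap, fraction)) - link.rx_sens_dbm - design_margin_db


def overloads(link: Link, tap: Tap, fraction: float) -> bool:
    """True if the strongest transmitter could saturate the receiver (short runs)."""
    return (link.tx_max_dbm - leg_loss_db(link, tap, fraction)) > link.rx_overload_dbm


def tap_fits(link: Link, tap: Tap, design_margin_db: float = 3.0) -> dict:
    """Check both legs: the live leg to the far-end switch and the monitor leg
    to the sensor. The tap only 'fits' if both have margin and neither overloads."""
    live_f, mon_f = tap.live_fraction, 1.0 - tap.live_fraction
    live = leg_margin_db(link, tap, live_f, design_margin_db)
    mon = leg_margin_db(link, tap, mon_f, design_margin_db)
    live_over, mon_over = overloads(link, tap, live_f), overloads(link, tap, mon_f)
    return {
        "live_margin_db": round(live, 2),
        "monitor_margin_db": round(mon, 2),
        "live_overload": live_over,
        "monitor_overload": mon_over,
        "fits": live >= 0 and mon >= 0 and not live_over and not mon_over,
    }


# Constructed example: a 2 km single-mode run with assumed 1000BASE-LX-like optics.
EXAMPLE_LINK = Link(tx_min_dbm=-9.5, tx_max_dbm=-3.0, rx_sens_dbm=-19.0,
                    rx_overload_dbm=-3.0, length_km=2.0, fiber_db_per_km=0.4,
                    connectors=2, connector_db=0.5)


if __name__ == "__main__":
    # A 70/30 tap leaves the live leg healthy but starves the monitor leg;
    # a 50/50 tap fits both legs with almost no margin to spare.
    for live in (0.7, 0.5):
        result = tap_fits(EXAMPLE_LINK, Tap(live_fraction=live, excess_db=0.5))
        print(f"{int(live * 100)}/{int(round((1 - live) * 100))} tap: {result}")
```

On the constructed link the 70/30 tap keeps the production leg up (about 1.65 dB to spare) while the monitor leg comes out roughly 2 dB short, which is exactly the situation rdump describes: the link works, the sensor sees nothing, and the fix is better optics or a different split ratio at the next upgrade. A 50/50 tap squeezes both legs in at about 0.19 dB over the 3 dB design margin.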